Pratum Blog

Internet Mesh with text overlayed: The Basics of HITRUST CSF

If it seems like you’re devoting more hours every month to reassuring partners that they can trust you, you’re not alone. In modern supply chains, companies regularly entrust their data to other organizations. HITRUST CSF is one of many compliance frameworks that aim to make everyone feel better about that data sharing. HITRUST CSF and other frameworks create objective industry standards for measuring another organization’s information security maturity. HITRUST CSF originated in the healthcare industry, but it’s a powerful framework that’s gaining traction in more fields, so it’s worth understanding how it may work for you.

HITRUST CSF’s Origins

The framework began in healthcare in 2007, when the HITRUST Alliance released its CSF (Common Security Framework). Like other frameworks and compliance protocols (such as SOC 2, PCI, HIPAA, GDPR and many others), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That reassures your partners that you’re not just saying you have the right controls and policies in place; a third-party assessor has confirmed it. With a third-party certification like HITRUST CSF in hand, you can streamline many vendor security checks down to sending them a copy of your certificate rather than answering a long list of questions. A popular phrase describes this advantage as “assess once; report many.”

Because of HITRUST CSF’s healthcare roots, it naturally draws comparisons to HIPAA. One key difference is that HIPAA is a federal law, while HITRUST CSF is an industry-created standard. Also note that HIPAA is a self-attestation, meaning a company’s partners have no validation that an organization is actually doing what they say. HIPAA also contains a lot of subjectivity, leaving organizations to ask each partner exactly what they mean when they say “we comply with HIPAA.” Because HITRUST CSF is a detailed, objective standard focused on risk management, you know what it means when you see that certification. If you earn HITRUST CSF certification, you will definitely have covered your HIPAA requirements.

When organizations have a choice about which framework to use to satisfy client requests, they frequently compare HITRUST CSF to SOC 2. For most organizations, Pratum recommends starting with SOC 2 unless your partners are specifically requiring HITRUST. SOC 2 certification requires less time and expense, and SOC 2 allows more flexibility in defining your own control activities.

HITRUST CSF is gradually gaining traction outside the healthcare industry, and when version 10 arrives in the spring of 2021, it will include some new language targeted at making it applicable to more industries.

How HITRUST CSF Works

CSF contains 19 domains and 135 controls and offers three Implementation Phases that all build on each other. (In other words, if you reach Phase 3, you’ve covered everything in Phase 1 and 2.) The three phases of HITRUST are:

1

HITRUST CSF Readiness Assessment – Using the MyCSF online portal, you’ll walk through the framework yourself and receive a CSF Self-Assessment Report. Many companies hire an Authorized CSF Assessor to help with this process, which typically takes about six months.

2

HITRUST CSF Validated Assessment – This phase requires you to hire a third-party Authorized External Assessor organization, whose work normally includes an onsite visit. The assessor submits their report to HITRUST within the MyCSF tool and HITRUST then issues a Validated Report. This process normally takes another six months.

3

HITRUST CSF Certification – At this phase, HITRUST actually reviews and certifies the organization’s entries and the assessor’s validation. This process can take 3-4 months.

Why Would You Use HITRUST CSF?

The most common driver for choosing any information security framework is that your customers demand it. In the healthcare space, some major companies such as Humana, CVS Caremark, United Healthcare Group and others refuse to work with any vendors until they complete a HITRUST CSF certification. In those cases, using HITRUST CSF is an easy decision, even if it’s not an easy process.

But many companies that have a choice in the matter are embracing HITRUST CSF, too. One of this framework’s advantages is the fact that if you’re working with partners across industries, you can use HITRUST for many of them. That can save you from trying to figure out the Venn diagram of multiple industry-specific frameworks. It also saves time and money because a single HITRUST certification may save you from complying with several other standards at the same time.

The HITRUST CSF Process

You should know at the outset that earning HITRUST CSF certification is a big undertaking. It requires about a year of work and a significant investment—$100,000 and up for most organizations. So the decision to pursue it obviously requires analysis of the business opportunities it will create for you (or preserve, if key clients are demanding you get it).

The process looks like this:

1. Scoping – You’ll start by using the framework’s system and organizational factors to scope your engagement. You’ll buy a license to HITRUST’s MyCSF online portal and fill out a detailed scoping questionnaire that leverages factors such as how much data you handle, how many active users you have, etc., to produce a list of the controls that will apply to you.

2. HITRUST CSF Readiness Assessment – Using MyCSF, you’ll do a thorough self-attested assessment of your current controls and policies. At this stage, you’ll be gathering documents, researching how you handle data and uploading documents and information to MyCSF. HITRUST reviews your submission to confirm that all the correct information is present and then issues a HITRUST CSF Readiness Assessment Report.

3. HITRUST CSF Validated Assessment – Now you’re ready to engage an Authorized External Assessor organization for a third-party validated assessment to affirm that the work you’ve done during the readiness assessment phase is still accurate and legitimate.

4. HITRUST Review – Through MyCSF, the External Assessor will submit their report to HITRUST for quality assurance review and the issuance of a HITRUST CSF Validated Assessment Report, which is valid for two years. To ensure you’re staying on track, your External Assessor will do a HITRUST CSF Interim Assessment after one year by testing some sample control requirements from across the 19 CSF domains.

HITRUST allows you to write corrective action plans (CAPs) for any areas where you fall short in your assessment. Typically, you’ll be expected to provide evidence in a year at the Interim Assessment that you’re taking meaningful action on your corrective action plan(s). And keep in mind that if you earn your certification with dozens of corrective action plans listed, your partners may decide that you have a long way to go and debate whether they can trust you with their data.

How Pratum Can Help

Pratum’s consultants specialize in a wide range of compliance frameworks and have assisted multiple clients with their HITRUST CSF journeys. Our consultants can assist IT teams with readiness assessments, identifying gaps and CAPs to implement new controls. HITRUST CSF puts a premium on seeing specific language in your policies, and our consultants can help ensure that you write them correctly.

Pratum also supports organizations during the validation stage. We’ll help interpret questions from the assessors and serve as your liaison to ensure that you can answer questions accurately and make your case when you feel an assessor may be viewing something incorrectly.

We’re eager to answer your questions as you consider whether HITRUST CSF is a smart investment for your organization. Please contact us today.


The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.